MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20ac81ea4886d0a2da81448ba4f783062b2066cb15df6da086d7b3b433f4fe26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	20ac81ea4886d0a2da81448ba4f783062b2066cb15df6da086d7b3b433f4fe26
SHA3-384 hash:	8fa106db15c5ea6c2b255b07704749b6db3262c407329b565052fe37efe39bcdd345755c65e0f82d3dd5bb7d70d457d7
SHA1 hash:	b7b648da708cf459975e107a8e8c8df6ef7a9784
MD5 hash:	bc0514542be8ffc28a9ade13ee35cac2
humanhash:	hawaii-fanta-october-floor
File name:	SecuriteInfo.com.Win32.RATX-gen.23315.9043
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'285'632 bytes
First seen:	2022-11-07 10:10:43 UTC
Last seen:	2022-11-07 12:26:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:oG84JF1INrSTvt+kN7yCWKXHDute0fmiiQmb/RFuKaJLkS3PUo/2UQch+yhK+GTY:HNF1bVlpKMFaJr3s/UayAkdiS
Threatray	22'591 similar samples on MalwareBazaar
TLSH	T18255273436F57B10D1A645B3C7D1ACB50EF1AE11EC42FA2AE4A1130F8652FD5A9831EB
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	70e896f08e868e86 (5 x AgentTesla, 3 x SnakeKeylogger)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

180

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SecuriteInfo.com.Win32.RATX-gen.23315.9043

Verdict:

Malicious activity

Analysis date:

2022-11-07 10:12:11 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/38c17e39-065e-4f40-b998-d2713f7f629d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/329801/

Detection(s):

SecuriteInfo.com.Win32.RATX-gen.23315.9043.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6368d9b8a8436570d740a652/reports/18d0c8cf-6367-4867-8037-3cff3c60a243/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2a1bf7eb-c973-4ad4-a34f-250c6b5f974d

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1107136

Signature

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/20ac81ea4886d0a2da81448ba4f783062b2066cb15df6da086d7b3b433f4fe26/

Threat name:

Win32.Trojan.Taskun

Status:

Malicious

First seen:

2022-11-07 07:30:18 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ecwid2siq3ikfwubisf2j54dayvsazwlcxpw3ieg26z3im7u7yta._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2c846418e413c6c0aea277acaa9b887709fdc2ae14fc9c72bee34ffdc7f2081f

AgentTesla

3c5f4d93aeffa9f2fbde93f4839e5d86562f6e51834ddf6e9446826b6372288f

AgentTesla

4ef5d37b29ba34c3c1a1d3dc36106c29aa043ba5869fadeb6ee52df7d13f8079

AgentTesla

605ade46e2008848c5d97ab59b76fa42ae845e3833545bf933b945ae6db9839f

AgentTesla

68b0ca4a930d91acb935c32d37632f2ecf8d3c95333739cc156e7e52a02cf08f

AgentTesla

90d411b4b7650a9098dc9fcc9792dd48749e410d49ef660287fee9336156646b

AgentTesla

+ 22'581 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/221107-l8g9bsdfam/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot5646065819:AAF1LifptI6XX-TUofh5eIiiXwvLlkq6Iqw/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/45b2328f-51ee-4dd6-bbcd-1a0f5c4bc9ac

Unpacked files

SH256 hash:

f3255ca08e0de16890d94861cd99002e1e8e9a1cc1d74b9d58f2935fae0fd8b9

MD5 hash:

2a050eafe5c404920b0de5532aae7c99

SHA1 hash:

b9eb59045fe41a6c3fdfb3afcc731fad14ea8774

Link:

https://www.unpac.me/results/1eec19b0-d2ad-41e3-b11d-736187c16e8f/

Parent samples :

1bba79e46b3a57c57208f5b0c0ea9601e7e63ed219fb9c93eb2d75fa1045fb05
cce7ec3b61ede4fdaf44b5b85c6175bc617650155e2913a076b1738dab059487
3805a0d8d5c31e2f0a26230bfbe046b71da707cec6047cfad58aa7fc76de8c36

SH256 hash:

85785cb8c58f76a12b55497cb19b8aa14750714ca5799deb6eb6465bdc0e9733

MD5 hash:

70b71f91eaa51cbe348b8bcc6f8a2bfa

SHA1 hash:

9fc1afbc35abaa9e9d1d0fcad8984bcb41283b1c

Link:

https://www.unpac.me/results/1eec19b0-d2ad-41e3-b11d-736187c16e8f/

SH256 hash:

a327516357b9fa1a75753b3fbd0030e13f374be7cefcdf983d0b731f278b0c59

MD5 hash:

404efdeb9931733904da07f96fabeb72

SHA1 hash:

7ce363cd612f1d9a90b33ec196c4d0a49cdaee02

Link:

https://www.unpac.me/results/1eec19b0-d2ad-41e3-b11d-736187c16e8f/

SH256 hash:

20ac81ea4886d0a2da81448ba4f783062b2066cb15df6da086d7b3b433f4fe26

MD5 hash:

bc0514542be8ffc28a9ade13ee35cac2

SHA1 hash:

b7b648da708cf459975e107a8e8c8df6ef7a9784

Link:

https://www.unpac.me/results/1eec19b0-d2ad-41e3-b11d-736187c16e8f/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/20ac81ea4886/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/20ac81ea4886d0a2da81448ba4f783062b2066cb15df6da086d7b3b433f4fe26

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/329801/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample